use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project nifi by apache.
the class RangerNiFiAuthorizer method auditAccessAttempt.
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    // Pull (and drop) the Ranger result cached for this request. The lookup map is
    // shared with whatever populated it (presumably the authorize path), so the
    // remove is done under its monitor.
    final RangerAccessResult cached;
    synchronized (resultLookup) {
        cached = resultLookup.remove(request);
    }

    // No cached result, or the matching policy is not marked for audit: emit nothing.
    // NOTE(review): a request that never reached the cache is silently un-audited here.
    if (cached == null || !cached.getIsAudited()) {
        return;
    }

    final AuthzAuditEvent auditEvent = defaultAuditHandler.getAuthzEvents(cached);
    // Report the resource the caller actually asked for, not whatever the policy
    // engine matched against, so the audit trail reflects the original request.
    auditEvent.setResourceType(RANGER_NIFI_RESOURCE_NAME);
    auditEvent.setResourcePath(request.getRequestedResource().getIdentifier());
    defaultAuditHandler.logAuthzAudit(auditEvent);
}
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerAtlasAuthorizer method checkAccess.
/**
 * Evaluates {@code request} against the Ranger Atlas plugin.
 *
 * @param request the populated Ranger access request
 * @return {@code true} only when the plugin is initialized and returned an allow
 *         decision; a missing plugin or a {@code null} result denies (fail closed)
 */
private boolean checkAccess(RangerAccessRequestImpl request) {
    RangerBasePlugin activePlugin = atlasPlugin;
    if (activePlugin == null) {
        // Fail closed: with no policy engine available nothing is permitted.
        LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
        return false;
    }
    RangerAccessResult decision = activePlugin.isAccessAllowed(request);
    return decision != null && decision.getIsAllowed();
}
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerKafkaAuthorizer method authorize.
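/**
 * Kafka {@code Authorizer} entry point: maps the Kafka session/operation/resource onto a
 * Ranger access request and asks the Ranger Kafka plugin for a decision.
 *
 * <p>Returns {@code false} (deny) when the plugin is not initialized, when the operation
 * or resource type cannot be mapped to Ranger, when the plugin returns {@code null}, or
 * when the plugin call throws. The one fail-open path is consumer-group resources, which
 * are allowed unconditionally before any policy lookup (see the TODO below).
 *
 * @param session   Kafka session; supplies the principal (may be absent) and client address
 * @param operation Kafka operation being attempted
 * @param resource  Kafka resource the operation targets
 * @return {@code true} if access is granted
 */
@Override
public boolean authorize(Session session, Operation operation, Resource resource) {
    if (rangerPlugin == null) {
        MiscUtil.logErrorMessageByInterval(logger, "Authorizer is still not initialized");
        return false;
    }

    // TODO: If resource type is consumer group, then allow it by default
    // SECURITY NOTE: this short-circuit bypasses Ranger policy evaluation for every
    // consumer-group operation regardless of principal; the KEY_CONSUMER_GROUP mapping
    // further down is never reached while this stands.
    if (resource.resourceType().equals(Group$.MODULE$)) {
        if (logger.isDebugEnabled()) {
            logger.debug("If resource type is consumer group, then we allow it by default! Returning true");
        }
        return true;
    }

    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_KAFKAAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_KAFKAAUTH_REQUEST_LOG, "RangerKafkaAuthorizer.authorize(resource=" + resource + ")");
    }

    // The session may carry no principal; the Ranger request then has a null user.
    String userName = null;
    if (session.principal() != null) {
        userName = session.principal().getName();
    }
    java.util.Set<String> userGroups = MiscUtil.getGroupsForRequestUser(userName);

    // skip leading slash (InetAddress string forms can start with '/')
    String ip = session.clientAddress().getHostAddress();
    if (StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') {
        ip = ip.substring(1);
    }

    Date eventTime = new Date();
    String accessType = mapToRangerAccessType(operation);

    // Validation failures are collected rather than returned immediately so that the
    // fully built request can be logged alongside the reason.
    boolean validationFailed = false;
    String validationStr = "";
    if (accessType == null) {
        if (MiscUtil.logErrorMessageByInterval(logger, "Unsupported access type. operation=" + operation)) {
            logger.fatal("Unsupported access type. session=" + session + ", operation=" + operation + ", resource=" + resource);
        }
        validationFailed = true;
        validationStr += "Unsupported access type. operation=" + operation;
    }
    String action = accessType;
    String clusterName = rangerPlugin.getClusterName();

    RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setUser(userName);
    rangerRequest.setUserGroups(userGroups);
    rangerRequest.setClientIPAddress(ip);
    rangerRequest.setAccessTime(eventTime);
    RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerRequest.setResource(rangerResource);
    rangerRequest.setAccessType(accessType);
    rangerRequest.setAction(action);
    rangerRequest.setRequestData(resource.name());
    rangerRequest.setClusterName(clusterName);

    if (resource.resourceType().equals(Topic$.MODULE$)) {
        rangerResource.setValue(KEY_TOPIC, resource.name());
    } else if (resource.resourceType().equals(Cluster$.MODULE$)) {
        // NOPMD
        // CLUSTER should go as null
        // rangerResource.setValue(KEY_CLUSTER, resource.name());
    } else if (resource.resourceType().equals(Group$.MODULE$)) {
        // Unreachable while the consumer-group early return above is in place.
        rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name());
    } else {
        logger.fatal("Unsupported resourceType=" + resource.resourceType());
        validationFailed = true;
        // Previously the reason was not recorded here, so the rate-limited error below
        // was emitted as ", request=..." with no explanation.
        validationStr += (validationStr.isEmpty() ? "" : ", ") + "Unsupported resourceType=" + resource.resourceType();
    }

    boolean returnValue = false;
    if (validationFailed) {
        MiscUtil.logErrorMessageByInterval(logger, validationStr + ", request=" + rangerRequest);
    } else {
        try {
            RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest);
            if (result == null) {
                logger.error("Ranger Plugin returned null. Returning false");
            } else {
                returnValue = result.getIsAllowed();
            }
        } catch (Throwable t) {
            // Fail closed on any plugin failure; returnValue stays false.
            logger.error("Error while calling isAccessAllowed(). request=" + rangerRequest, t);
        }
    }

    RangerPerfTracer.log(perf);
    if (logger.isDebugEnabled()) {
        logger.debug("rangerRequest=" + rangerRequest + ", return=" + returnValue);
    }
    return returnValue;
}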
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerKylinAuthorizer method checkPermission (RangerKylinAccessRequest is the request type it builds).
/**
 * Kylin {@code ExternalAclProvider} hook: resolves the project behind {@code entityUuid}
 * (for project-instance entities) and asks the Ranger Kylin plugin whether {@code user}
 * or one of {@code groups} may exercise {@code permission} on it.
 *
 * @return {@code true} only if the plugin is initialized and allowed the request; an
 *         uninitialized plugin or a {@code null} result denies
 */
@Override
public boolean checkPermission(String user, List<String> groups, String entityType, String entityUuid, Permission permission) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKylinAuthorizer.checkPermission( user=" + user + ", groups=" + groups + ", entityType=" + entityType + ", entityUuid=" + entityUuid + ", permission=" + permission + ")");
    }

    boolean allowed = false;
    if (kylinPlugin != null) {
        KylinConfig kylinConfig = KylinConfig.getInstanceFromEnv();
        String projectName = null;
        boolean isProjectEntity = AclEntityType.PROJECT_INSTANCE.equals(entityType);
        if (isProjectEntity) {
            ProjectInstance project = ProjectManager.getInstance(kylinConfig).getPrjByUuid(entityUuid);
            if (project == null) {
                if (LOG.isWarnEnabled()) {
                    LOG.warn("Could not find kylin project for given uuid=" + entityUuid);
                }
            } else {
                projectName = project.getName();
            }
        }
        // NOTE(review): for non-project entities or an unknown uuid the request still goes
        // to Ranger with a null project name — confirm the policy engine's handling of
        // that is the intended outcome.
        String accessType = ExternalAclProvider.transformPermission(permission);
        String clusterName = kylinPlugin.getClusterName();
        RangerKylinAccessRequest request = new RangerKylinAccessRequest(projectName, user, groups, accessType, clusterName, clientIPAddress);
        RangerAccessResult decision = kylinPlugin.isAccessAllowed(request);
        allowed = decision != null && decision.getIsAllowed();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKylinAuthorizer.checkPermission(): result=" + allowed);
    }
    return allowed;
}
use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.
the class RangerYarnAuthorizer method checkPermission (RangerYarnAuditHandler is the audit handler it creates).
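/**
 * YARN {@code YarnAuthorizationProvider} hook. Asks the Ranger YARN plugin first; when
 * Ranger makes no determination (no matching policy, or the plugin is not initialized so
 * there is no result at all) and native YARN ACL checking is enabled, falls back to
 * {@link #isAllowedByYarnAcl}. With YARN ACLs disabled, Ranger's answer is final and a
 * missing result denies.
 *
 * @param accessType the YARN access being attempted
 * @param entity     the queue/application/etc. being accessed
 * @param ugi        the requesting user
 * @return {@code true} if the access is allowed by Ranger or, on fallback, by YARN ACLs
 */
@Override
public boolean checkPermission(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
    }

    boolean ret = false;
    // Snapshot the plugin field once and use only the snapshot below.
    RangerYarnPlugin plugin = yarnPlugin;
    RangerYarnAuditHandler auditHandler = null;
    RangerAccessResult result = null;
    RangerPerfTracer perf = null;
    RangerPerfTracer yarnAclPerf = null;

    if (plugin != null) {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_YARNAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnAuthorizer.checkPermission(entity=" + entity + ")");
        }
        // Read the cluster name from the non-null snapshot. It was previously read from
        // the yarnPlugin field before the null check, so a call arriving before the plugin
        // was initialized threw an NPE instead of taking the plugin-absent path below.
        String clusterName = plugin.getClusterName();
        RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi, clusterName);
        auditHandler = new RangerYarnAuditHandler();
        result = plugin.isAccessAllowed(request, auditHandler);
    }

    // Ranger decides only when it actually matched a policy; otherwise defer to YARN's own
    // ACLs if those are enabled. auditHandler may be null here (plugin absent).
    if (RangerYarnAuthorizer.yarnAuthEnabled && (result == null || !result.getIsAccessDetermined())) {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_YARNAUTH_REQUEST_LOG)) {
            yarnAclPerf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnNativeAuthorizer.isAllowedByYarnAcl(entity=" + entity + ")");
        }
        ret = isAllowedByYarnAcl(accessType, entity, ugi, auditHandler);
    } else {
        // Ranger determined the outcome, or YARN ACLs are off: no result means deny.
        ret = result != null && result.getIsAllowed();
    }

    if (auditHandler != null) {
        auditHandler.flushAudit();
    }

    RangerPerfTracer.log(yarnAclPerf);
    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + ret);
    }
    return ret;
}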